SSL_CONF_CMD(3)                     OpenSSL                    SSL_CONF_CMD(3)

NAME
    SSL_CONF_cmd_value_type, SSL_CONF_cmd - send configuration command

SYNOPSIS
    #include <openssl/ssl.h>

    int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
    int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);

DESCRIPTION
    The function SSL_CONF_cmd() performs configuration operation cmd with
    optional parameter value on cctx. Its purpose is to simplify application
    configuration of SSL_CTX or SSL structures by providing a common
    framework for command line options or configuration files.

    SSL_CONF_cmd_value_type() returns the type of value that cmd refers to.

SUPPORTED COMMAND LINE COMMANDS
    Currently supported cmd names for command lines (i.e. when the flag
    SSL_CONF_FLAG_CMDLINE is set) are listed below. Note: all cmd names are
    case sensitive. Unless otherwise stated commands can be used by both
    clients and servers and the value parameter is not used. The default
    prefix for command line commands is - and that is reflected below.

    -sigalgs
        This sets the supported signature algorithms for TLSv1.2 and
        TLSv1.3. For clients this value is used directly for the supported
        signature algorithms extension. For servers it is used to determine
        which signature algorithms to support.

        The value argument should be a colon separated list of signature
        algorithms in order of decreasing preference of the form
        algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
        ECDSA and hash is a supported algorithm OID short name such as
        SHA1, SHA224, SHA256, SHA384 or SHA512. Note: algorithm and hash
        names are case sensitive. signature_scheme is one of the signature
        schemes defined in TLSv1.3, specified using the IETF name, e.g.,
        ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.

        If this option is not set then all signature algorithms supported
        by the OpenSSL library are permissible.

        Note: algorithms which specify a PKCS#1 v1.5 signature scheme
        (either by using RSA as the algorithm or by using one of the
        rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
        negotiated.

    -client_sigalgs
        This sets the supported signature algorithms associated with client
        authentication for TLSv1.2 and TLSv1.3. For servers the value is
        used in the signature_algorithms field of a CertificateRequest
        message. For clients it is used to determine which signature
        algorithm to use with the client certificate. If a server does not
        request a certificate this option has no effect.

        The syntax of value is identical to -sigalgs. If not set then the
        value set for -sigalgs will be used instead.

    -groups
        This sets the supported groups. For clients, the groups are sent
        using the supported groups extension. For servers, it is used to
        determine which group to use. This setting affects groups used for
        signatures (in TLSv1.2 and earlier) and key exchange. The first
        group listed will also be used for the key_share sent by a client
        in a TLSv1.3 ClientHello.

        The value argument is a colon separated list of groups. The group
        can be either the NIST name (e.g. P-256), some other commonly used
        name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
        prime256v1). Group names are case sensitive. The list should be in
        order of preference with the most preferred group first.

    -curves
        This is a synonym for the "-groups" command.

    -named_curve
        This sets the temporary curve used for ephemeral ECDH modes. Only
        used by servers.

        The value argument is a curve name or the special value auto which
        picks an appropriate curve based on client and server preferences.
        The curve can be either the NIST name (e.g. P-256) or an OpenSSL
        OID name (e.g. prime256v1). Curve names are case sensitive.

    -cipher
        Sets the TLSv1.2 and below ciphersuite list to value. This list
        will be combined with any configured TLSv1.3 ciphersuites. Note:
        syntax checking of value is currently not performed unless an SSL
        or SSL_CTX structure is associated with cctx.

    -ciphersuites
        Sets the available ciphersuites for TLSv1.3 to value. This is a
        simple colon (":") separated list of TLSv1.3 ciphersuite names in
        order of preference. This list will be combined with any configured
        TLSv1.2 and below ciphersuites. See ciphers(1) for more
        information.

    -cert
        Attempts to use the file value as the certificate for the
        appropriate context. It currently uses
        SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
        or SSL_use_certificate_file() with filetype PEM if an SSL structure
        is set. This option is only supported if certificate operations are
        permitted.

    -key
        Attempts to use the file value as the private key for the
        appropriate context. This option is only supported if certificate
        operations are permitted. Note: if no -key option is set then a
        private key is not loaded unless the flag
        SSL_CONF_FLAG_REQUIRE_PRIVATE is set.

    -dhparam
        Attempts to use the file value as the set of temporary DH
        parameters for the appropriate context. This option is only
        supported if certificate operations are permitted.

    -record_padding
        Attempts to pad TLSv1.3 records so that they are a multiple of
        value in length on send. A value of 0 or 1 turns off padding.
        Otherwise, the value must be >1 and <=16384.

    -no_renegotiation
        Disables all attempts at renegotiation in TLSv1.2 and earlier, same
        as setting SSL_OP_NO_RENEGOTIATION.

    -min_protocol, -max_protocol
        Sets the minimum and maximum supported protocol. Currently
        supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2,
        TLSv1.3 for TLS and DTLSv1, DTLSv1.2 for DTLS, and None for no
        limit. If either bound is not specified then only the other bound
        applies, if specified. To restrict the supported protocol versions
        use these commands rather than the deprecated alternative commands
        below.

    -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
        Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or
        TLSv1.3 by setting the corresponding options SSL_OP_NO_SSLv3,
        SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and
        SSL_OP_NO_TLSv1_3 respectively. These options are deprecated;
        use -min_protocol and -max_protocol instead.

    -bugs
        Various bug workarounds are set, same as setting SSL_OP_ALL.

    -comp
        Enables support for SSL/TLS compression, same as clearing
        SSL_OP_NO_COMPRESSION. This command was introduced in OpenSSL
        1.1.0. As of OpenSSL 1.1.0, compression is off by default.

    -no_comp
        Disables support for SSL/TLS compression, same as setting
        SSL_OP_NO_COMPRESSION. As of OpenSSL 1.1.0, compression is off by
        default.

    -no_ticket
        Disables support for session tickets, same as setting
        SSL_OP_NO_TICKET.

    -serverpref
        Use server and not client preference order when determining which
        cipher suite, signature algorithm or elliptic curve to use for an
        incoming connection. Equivalent to
        SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.

    -prioritize_chacha
        Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at
        the top of its preference list. This usually indicates a client
        without AES hardware acceleration (e.g. mobile) is in use.
        Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
        Requires -serverpref.

    -no_resumption_on_reneg
        Sets the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only
        used by servers.

    -legacyrenegotiation
        Permits the use of unsafe legacy renegotiation. Equivalent to
        setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

    -legacy_server_connect, -no_legacy_server_connect
        Permits or prohibits the use of unsafe legacy renegotiation for
        OpenSSL clients only. Equivalent to setting or clearing
        SSL_OP_LEGACY_SERVER_CONNECT. Set by default.

    -allow_no_dhe_kex
        In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
        resumption. This means that there will be no forward secrecy for
        the resumed session.

    -strict
        Enables strict mode protocol handling. Equivalent to setting
        SSL_CERT_FLAG_TLS_STRICT.

    -anti_replay, -no_anti_replay
        Switches replay protection on or off respectively. With replay
        protection on, OpenSSL will automatically detect if a session
        ticket has been used more than once, TLSv1.3 has been negotiated,
        and early data is enabled on the server. A full handshake is forced
        if a session ticket is used a second or subsequent time.
        Anti-replay is on by default unless overridden by a configuration
        file and is only used by servers. Anti-replay measures are required
        for compliance with the TLSv1.3 specification. Some applications
        may be able to mitigate the replay risks in other ways and in such
        cases the built-in OpenSSL functionality is not required. Switching
        off anti-replay is equivalent to SSL_OP_NO_ANTI_REPLAY.

SUPPORTED CONFIGURATION FILE COMMANDS
    Currently supported cmd names for configuration files (i.e. when the
    flag SSL_CONF_FLAG_FILE is set) are listed below. All configuration
    file cmd names are case insensitive so signaturealgorithms is
    recognised as well as SignatureAlgorithms. Unless otherwise stated the
    value names are also case insensitive.

    Note: the command prefix (if set) alters the recognised cmd values.

    CipherString
        Sets the ciphersuite list for TLSv1.2 and below to value. This list
        will be combined with any configured TLSv1.3 ciphersuites. Note:
        syntax checking of value is currently not performed unless an SSL
        or SSL_CTX structure is associated with cctx.

    Ciphersuites
        Sets the available ciphersuites for TLSv1.3 to value. This is a
        simple colon (":") separated list of TLSv1.3 ciphersuite names in
        order of preference. This list will be combined with any configured
        TLSv1.2 and below ciphersuites. See ciphers(1) for more
        information.

    Certificate
        Attempts to use the file value as the certificate for the
        appropriate context. It currently uses
        SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
        or SSL_use_certificate_file() with filetype PEM if an SSL structure
        is set. This option is only supported if certificate operations are
        permitted.

    PrivateKey
        Attempts to use the file value as the private key for the
        appropriate context. This option is only supported if certificate
        operations are permitted. Note: if no PrivateKey option is set then
        a private key is not loaded unless the flag
        SSL_CONF_FLAG_REQUIRE_PRIVATE is set.

    ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath
        These options indicate a file or directory used for building
        certificate chains or verifying certificate chains. These options
        are only supported if certificate operations are permitted.

    RequestCAFile
        This option indicates a file containing a set of certificates in
        PEM form. The subject names of the certificates are sent to the
        peer in the certificate_authorities extension for TLS 1.3 (in
        ClientHello or CertificateRequest) or in a certificate request for
        previous versions of TLS.

    ServerInfoFile
        Attempts to use the file value in the "serverinfo" extension using
        the function SSL_CTX_use_serverinfo_file().

    DHParameters
        Attempts to use the file value as the set of temporary DH
        parameters for the appropriate context. This option is only
        supported if certificate operations are permitted.

    RecordPadding
        Attempts to pad TLSv1.3 records so that they are a multiple of
        value in length on send. A value of 0 or 1 turns off padding.
        Otherwise, the value must be >1 and <=16384.

    NoRenegotiation
        Disables all attempts at renegotiation in TLSv1.2 and earlier, same
        as setting SSL_OP_NO_RENEGOTIATION.

    SignatureAlgorithms
        This sets the supported signature algorithms for TLSv1.2 and
        TLSv1.3. For clients this value is used directly for the supported
        signature algorithms extension. For servers it is used to determine
        which signature algorithms to support.

        The value argument should be a colon separated list of signature
        algorithms in order of decreasing preference of the form
        algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
        ECDSA and hash is a supported algorithm OID short name such as
        SHA1, SHA224, SHA256, SHA384 or SHA512. Note: algorithm and hash
        names are case sensitive. signature_scheme is one of the signature
        schemes defined in TLSv1.3, specified using the IETF name, e.g.,
        ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.

        If this option is not set then all signature algorithms supported
        by the OpenSSL library are permissible.

        Note: algorithms which specify a PKCS#1 v1.5 signature scheme
        (either by using RSA as the algorithm or by using one of the
        rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
        negotiated.

    ClientSignatureAlgorithms
        This sets the supported signature algorithms associated with client
        authentication for TLSv1.2 and TLSv1.3. For servers the value is
        used in the signature_algorithms field of a CertificateRequest
        message. For clients it is used to determine which signature
        algorithm to use with the client certificate. If a server does not
        request a certificate this option has no effect.

        The syntax of value is identical to SignatureAlgorithms. If not set
        then the value set for SignatureAlgorithms will be used instead.

    Groups
        This sets the supported groups. For clients, the groups are sent
        using the supported groups extension. For servers, it is used to
        determine which group to use. This setting affects groups used for
        signatures (in TLSv1.2 and earlier) and key exchange. The first
        group listed will also be used for the key_share sent by a client
        in a TLSv1.3 ClientHello.

        The value argument is a colon separated list of groups. The group
        can be either the NIST name (e.g. P-256), some other commonly used
        name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
        prime256v1). Group names are case sensitive. The list should be in
        order of preference with the most preferred group first.

    Curves
        This is a synonym for the "Groups" command.

    MinProtocol
        This sets the minimum supported SSL, TLS or DTLS version.

        Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
        TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The value None will disable
        the limit.

    MaxProtocol
        This sets the maximum supported SSL, TLS or DTLS version.

        Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
        TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The value None will disable
        the limit.

    Protocol
        This can be used to enable or disable certain versions of the SSL,
        TLS or DTLS protocol.

        The value argument is a comma separated list of supported protocols
        to enable or disable. If a protocol is preceded by - that version
        is disabled.

        All protocol versions are enabled by default. You need to disable
        at least one protocol version for this setting to have any effect.
        Only enabling some protocol versions does not disable the other
        protocol versions.

        Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
        TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The special value ALL
        refers to all supported versions.

        This can't enable protocols that are disabled using MinProtocol or
        MaxProtocol, but can disable protocols that are still allowed by
        them.

        The Protocol command is fragile and deprecated; do not use it. Use
        MinProtocol and MaxProtocol instead. If you do use Protocol, make
        sure that the resulting range of enabled protocols has no "holes",
        e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also
        leave TLS 1.1 enabled.

    Options
        The value argument is a comma separated list of various flags to
        set. If a flag string is preceded by - it is disabled. See the
        SSL_CTX_set_options(3) function for more details of individual
        options.

        Each option is listed below. Where an operation is enabled by
        default the -flag syntax is needed to disable it.

        SessionTicket: session ticket support, enabled by default. Inverse
        of SSL_OP_NO_TICKET: that is, -SessionTicket is the same as setting
        SSL_OP_NO_TICKET.

        Compression: SSL/TLS compression support, enabled by default.
        Inverse of SSL_OP_NO_COMPRESSION.

        EmptyFragments: use empty fragments as a countermeasure against a
        SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It is
        set by default. Inverse of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

        Bugs: enable various bug workarounds. Same as SSL_OP_ALL.

        DHSingle: enable single use DH keys, set by default. Inverse of
        SSL_OP_DH_SINGLE. Only used by servers.

        ECDHSingle: enable single use ECDH keys, set by default. Inverse of
        SSL_OP_ECDH_SINGLE. Only used by servers.

        ServerPreference: use server and not client preference order when
        determining which cipher suite, signature algorithm or elliptic
        curve to use for an incoming connection. Equivalent to
        SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.

        PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a
        ChaCha20 cipher at the top of its preference list. This usually
        indicates a mobile client is in use. Equivalent to
        SSL_OP_PRIORITIZE_CHACHA. Only used by servers.

        NoResumptionOnRenegotiation: sets the
        SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by
        servers.

        UnsafeLegacyRenegotiation: permits the use of unsafe legacy
        renegotiation. Equivalent to
        SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

        UnsafeLegacyServerConnect: permits the use of unsafe legacy
        renegotiation for OpenSSL clients only. Equivalent to
        SSL_OP_LEGACY_SERVER_CONNECT. Set by default.

        EncryptThenMac: use encrypt-then-mac extension, enabled by default.
        Inverse of SSL_OP_NO_ENCRYPT_THEN_MAC: that is, -EncryptThenMac is
        the same as setting SSL_OP_NO_ENCRYPT_THEN_MAC.

        AllowNoDHEKEX: In TLSv1.3 allow a non-(ec)dhe based key exchange
        mode on resumption. This means that there will be no forward
        secrecy for the resumed session. Equivalent to
        SSL_OP_ALLOW_NO_DHE_KEX.

        MiddleboxCompat: If set then dummy Change Cipher Spec (CCS)
        messages are sent in TLSv1.3. This has the effect of making TLSv1.3
        look more like TLSv1.2 so that middleboxes that do not understand
        TLSv1.3 will not drop the connection. This option is set by
        default. A future version of OpenSSL may not set this by default.
        Equivalent to SSL_OP_ENABLE_MIDDLEBOX_COMPAT.

        AntiReplay: If set then OpenSSL will automatically detect if a
        session ticket has been used more than once, TLSv1.3 has been
        negotiated, and early data is enabled on the server. A full
        handshake is forced if a session ticket is used a second or
        subsequent time. This option is set by default and is only used by
        servers. Anti-replay measures are required to comply with the
        TLSv1.3 specification. Some applications may be able to mitigate
        the replay risks in other ways and in such cases the built-in
        OpenSSL functionality is not required. Disabling anti-replay is
        equivalent to setting SSL_OP_NO_ANTI_REPLAY.

    VerifyMode
        The value argument is a comma separated list of flags to set.

        Peer enables peer verification: for clients only.

        Request requests but does not require a certificate from the
        client. Servers only.

        Require requests and requires a certificate from the client: an
        error occurs if the client does not present a certificate. Servers
        only.

        Once requests a certificate from a client only on the initial
        connection: not when renegotiating. Servers only.

        RequestPostHandshake configures the connection to support requests
        but does not require a certificate from the client post-handshake.
        A certificate will not be requested during the initial handshake.
        The server application must provide a mechanism to request a
        certificate post-handshake. Servers only. TLSv1.3 only.

        RequiresPostHandshake configures the connection to support requests
        and requires a certificate from the client post-handshake: an error
        occurs if the client does not present a certificate. A certificate
        will not be requested during the initial handshake. The server
        application must provide a mechanism to request a certificate
        post-handshake. Servers only. TLSv1.3 only.

    ClientCAFile, ClientCAPath
        A file or directory of certificates in PEM format whose names are
        used as the set of acceptable names for client CAs. Servers only.
        This option is only supported if certificate operations are
        permitted.

SUPPORTED COMMAND TYPES
    The function SSL_CONF_cmd_value_type() currently returns one of the
    following types:

    SSL_CONF_TYPE_UNKNOWN
        The cmd string is unrecognised; this return value can be used to
        flag syntax errors.

    SSL_CONF_TYPE_STRING
        The value is a string without any specific structure.

    SSL_CONF_TYPE_FILE
        The value is a file name.

    SSL_CONF_TYPE_DIR
        The value is a directory name.

    SSL_CONF_TYPE_NONE
        The value string is not used, e.g. a command line option which
        doesn't take an argument.

NOTES
    The order of operations is significant. This can be used to set either
    defaults or values which cannot be overridden. For example if an
    application calls:

        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
        SSL_CONF_cmd(ctx, userparam, uservalue);

    it will disable SSLv3 support by default but the user can override it.
    If however the call sequence is:

        SSL_CONF_cmd(ctx, userparam, uservalue);
        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");

    SSLv3 is always disabled and attempts by the user to override this are
    ignored.
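    The Protocol value syntax described earlier on this page and the
    order-of-operations point above, worked through in an added example
    that is not OpenSSL's own code: a small model of how a Protocol value
    (comma list, leading - to disable, ALL) changes the set of enabled
    versions, how a MinProtocol/MaxProtocol bound clips that set, and a
    check for the "holes" the Protocol entry warns about. The version
    table, bit layout and the names protocol_apply, protocol_sequence,
    clip_to_range and is_contiguous are this example's own; only SSLv3
    through TLSv1.3 are modelled.

```c
/*
 * Added example, not OpenSSL's own code: a model of the "Protocol" value
 * syntax as this page describes it (comma list, leading '-' disables, ALL
 * means every version, all enabled by default).  SSLv3..TLSv1.3 only, no
 * DTLS; the names and bit values are this example's own.
 */
#include <string.h>
#include <strings.h>   /* strncasecmp: value names are case insensitive */

#define NVERS 5
static const char *const vers_name[NVERS] =
    { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
#define VERS_ALL  ((1u << NVERS) - 1)   /* default: all versions enabled */
#define PROTO_ERR 0xFFFFFFFFu           /* marker for a syntax error */

/* Bit index of a version name (compared case-insensitively), or -1. */
static int vers_index(const char *s, size_t n)
{
    for (int i = 0; i < NVERS; i++)
        if (strlen(vers_name[i]) == n && strncasecmp(s, vers_name[i], n) == 0)
            return i;
    return -1;
}

/* Apply one Protocol value to the bitmask of enabled versions.  Returns 1,
 * or 0 on an unknown or empty token (the page's "error in the syntax of
 * value" case, for which SSL_CONF_cmd() itself returns 0). */
int protocol_apply(unsigned *enabled, const char *value)
{
    const char *p = value;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t n = end != NULL ? (size_t)(end - p) : strlen(p);
        int disable = 0;
        unsigned mask;
        if (n > 0 && p[0] == '-') { disable = 1; p++; n--; }
        if (n == 3 && strncasecmp(p, "ALL", 3) == 0) {
            mask = VERS_ALL;
        } else {
            int i = vers_index(p, n);
            if (i < 0) return 0;            /* unknown or empty token */
            mask = 1u << i;
        }
        *enabled = disable ? (*enabled & ~mask) : (*enabled | mask);
        if (end == NULL) break;
        p = end + 1;
    }
    return 1;
}

/* Apply first, then second (NULL to skip), starting from the default set;
 * returns the enabled set or PROTO_ERR.  Shows why order of operations
 * matters: "-SSLv3" then "ALL" re-enables SSLv3, the reverse does not. */
unsigned protocol_sequence(const char *first, const char *second)
{
    unsigned enabled = VERS_ALL;
    if (!protocol_apply(&enabled, first))
        return PROTO_ERR;
    if (second != NULL && !protocol_apply(&enabled, second))
        return PROTO_ERR;
    return enabled;
}

/* MinProtocol/MaxProtocol take precedence: Protocol can disable versions
 * inside [lo, hi] but cannot re-enable one outside it (bit indices into
 * vers_name; 0 and NVERS - 1 stand for "None"). */
unsigned clip_to_range(unsigned enabled, int lo, int hi)
{
    unsigned range = 0;
    for (int i = lo; i <= hi && i < NVERS; i++)
        range |= 1u << i;
    return enabled & range;
}

/* The page warns against "holes" (e.g. TLS 1.0 and 1.2 on but 1.1 off).
 * Returns 1 if the enabled versions form one contiguous run, else 0. */
int is_contiguous(unsigned v)
{
    if (v == 0) return 0;
    while ((v & 1u) == 0) v >>= 1;   /* drop the disabled low versions */
    return (v & (v + 1)) == 0;       /* what remains must be all ones */
}
```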

    By checking the return code of SSL_CONF_cmd() it is possible to query
    whether a given cmd is recognised. This is useful if SSL_CONF_cmd()
    values are mixed with additional application specific operations.

    For example an application might call SSL_CONF_cmd() and if it returns
    -2 (unrecognised command) continue with processing of application
    specific commands.

    Applications can also use SSL_CONF_cmd() to process command lines,
    although the utility function SSL_CONF_cmd_argv() is normally used
    instead. One way to do this is to set the prefix to an appropriate
    value using SSL_CONF_CTX_set1_prefix(), pass the current argument to
    cmd and the following argument to value (which may be NULL).

    In this case if the return value is positive then it is used to skip
    that number of arguments as they have been processed by SSL_CONF_cmd().
    If -2 is returned then cmd is not recognised and application specific
    arguments can be checked instead. If -3 is returned a required argument
    is missing and an error is indicated. If 0 is returned some other error
    occurred and this can be reported back to the user.

    The function SSL_CONF_cmd_value_type() can be used by applications to
    check for the existence of a command or to perform additional syntax
    checking or translation of the command value. For example if the return
    value is SSL_CONF_TYPE_FILE an application could translate a relative
    pathname to an absolute pathname.

EXAMPLES
    Set supported signature algorithms:

        SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");

    There are various ways to select the supported protocols.

    This sets the minimum protocol version to TLSv1, and so disables SSLv3.
    This is the recommended way to disable protocols.

        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");

    The following also disables SSLv3:

        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");

    The following will first enable all protocols, and then disable SSLv3.
    If no protocol versions were disabled before, this has the same effect
    as "-SSLv3", but if some versions were disabled this will re-enable
    them before disabling SSLv3.

        SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");

    Only enable TLSv1.2:

        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
        SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");

    This also only enables TLSv1.2:

        SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");

    Disable TLS session tickets:

        SSL_CONF_cmd(ctx, "Options", "-SessionTicket");

    Enable compression:

        SSL_CONF_cmd(ctx, "Options", "Compression");

    Set supported curves to P-256, P-384:

        SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");

RETURN VALUES
    SSL_CONF_cmd() returns 1 if the value of cmd is recognised and value is
    NOT used and 2 if both cmd and value are used. In other words it
    returns the number of arguments processed. This is useful when
    processing command lines.

    A return value of -2 means cmd is not recognised.

    A return value of -3 means cmd is recognised and the command requires a
    value but value is NULL.

    A return code of 0 indicates that both cmd and value are valid but an
    error occurred attempting to perform the operation, for example due to
    an error in the syntax of value. In this case the error queue may
    provide additional information.

SEE ALSO
    SSL_CONF_CTX_new(3), SSL_CONF_CTX_set_flags(3),
    SSL_CONF_CTX_set1_prefix(3), SSL_CONF_CTX_set_ssl_ctx(3),
    SSL_CONF_cmd_argv(3), SSL_CTX_set_options(3)

HISTORY
    SSL_CONF_cmd() was first added to OpenSSL 1.0.2.

    SSL_OP_NO_SSL2 has had no effect since OpenSSL 1.1.0, but the macro is
    retained for backwards compatibility.

    SSL_CONF_TYPE_NONE was first added to OpenSSL 1.1.0. In earlier
    versions of OpenSSL passing a command which didn't take an argument
    would return SSL_CONF_TYPE_UNKNOWN.

    MinProtocol and MaxProtocol were added in OpenSSL 1.1.0.

    AllowNoDHEKEX and PrioritizeChaCha were added in OpenSSL 1.1.1.

COPYRIGHT
    Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.

    Licensed under the OpenSSL license (the "License"). You may not use
    this file except in compliance with the License. You can obtain a copy
    in the file LICENSE in the source distribution or at
    <https://www.openssl.org/source/license.html>.

1.1.1                            2018-09-11                    SSL_CONF_CMD(3)